Tall assertions here. “Their ISO 9001 Quality Management Systems were broken” seems like a very superficial or way too general an assumption/assertion. This is particularly true for the Pratt & Whitney example where bad parts were “knowingly” shipped. No management system can prevent willful negligence or malice.

Perhaps the real issue is that organizations frequently have flawed or even non-existent business operating systems (BOS). This is much different than an ISO 9001 Quality Management System. ISO 9001 can serve as the foundation for a BOS, but it does not intend and does not claim to assure quality or business excellence. Certainly, companies should be held accountable for failures and flaws of the BOS. Labeling these failures or flaws with ISO 9001 belittles the true nature of the problem.

While I am not a defender of registrars, as a former manager and executive at a few, I can state with some authority that a registrar’s mandate is to assess that the ISO 9001 foundation has all of the minimal required elements. Nothing more.

External auditors are mere mortals. They have varying levels of experience and expertise. To expect an external auditor (that only sees a company for a few days every year) to provide the deep perspective and understanding required to ensure that the BOS is evolved to some undefinable level of excellence is idealistic at best and reckless at worst.

Furthermore, one needs to have a realistic perspective of what an ISO 9001 surveillance audit really is. Like any audit, it is a sampling exercise. An external auditor comes in for a few days a year and samples different areas of the company to find evidence that the minimal ISO 9001 requirements are being met. The auditor cannot see or judge everything. Typically, systemic problems are the focus, not momentary, non-repetitive, or individual failures in an otherwise stable process.

Finally, registrars should be considered corporate confessors. Companies that have constructive relationships with their registrar (relatively rare, I know) encourage their employees to be as open and forthcoming as possible with the auditors. Consequently, auditors and registrars should be treated with a similar level of privilege as attorneys or priests.

Kirill Liberman, President

As odd as this may seem coming from me, I applaud the AIAG for formally taking this position.  Those of you that have been following this blog and are familiar with my integrated management system philosophy (or Lean BOS)  will note that I have been advocating an integrated approach for over a decade.  It is commendable for the AIAG — a group that propagates and profits from standards and the associated training — to evolve to this level.

Business excellence is more than the successful application of some standards.  It is an organization’s business operating system, leadership, and culture that creates success.  As such, quality, environmental, health, and safety concerns must be managed concurrently with regulatory, customer, employee, and investor concerns.  This cannot be done effectively and efficiently with multiple management systems.  Kudos to the AIAG for recognizing this, at least when it comes to ISO 14001 and OHSAS 18001.

Kirill Liberman, President

One of the hot topics for companies dealing with wood and paper products is Chain of Custody Certification (CoC). Initials like FSC, SFI, and PEFC are being discussed, but there’s not always a clear direction into what it is and what’s required.CoC is designed to provide an assurance that forest products and their bi-products originate from a sustainably managed forest. The Sustainable Forest Initiative® (SFI), Forest Stewardship Council (FSC), and Program for the Endorsement of Forest Certification Programs (PEFC) are the predominant industry standards. Is one better than the other? Not really. Are they really different? For primary manufacturers-yes, for everyone else-no. Is there a benefit to dual or triple certification? The costs should be very minimal to obtain all 3. If you’re implementing the system anyway, why not have the flexibility to meet all potential client requests, rather than just an immediate one?The question for companies that aren’t primary manufactures (paper mills, sawmills, etc.) is understanding what’s required when the standard covers all possible participants in the chain. What we want to discuss is what do these companies need to do?All companies wishing to achieve CoC certification are required to meet minimum requirements in product traceability, product storage, product handling, invoicing, and record keeping. The trick is to take what you’re already doing and make the necessary changes rather than create a whole new system. However, as this website has explained certification is a validation of an effective system rather than the end goal, the same is true with CoC. You need a solid system in place and if you’re putting forth the effort to pursue any kind of certification your better set for the long term taking a rationale approach that looks at the system in its entirety.

Now if you don’t have the basics of a management system in place, such as ISO 9000 or ISO 14000, you’ll have more work to do. Looking at the FSC standard (Part 1: Universal Requirements, Section 1 Quality Management) you need to have clearly defined responsibilities, procedures, training, and records in place. Just like with ISO 9000/14001 many companies have this but more as “tribal knowledge” rather than a formal system. I would strongly recommend looking at the same implementation group and same registrar for all your certifications if they are equipped to provide that.

If you have the basics in place the 10 things you need to look at are:

1. Find sources for FSC, SFI, and/or PEFC certified material. (Records and Procedures)
2. Request certification information from the supplier if applicable. (Records and Procedures)
3. Track certified material purchased and sold and make sure you have the support documentation where necessary. (Records and Procedures)
4. Make sure suppliers documentation and purchasing documentation references certified material information where applicable. (Records and Procedures)
5. Identify areas within your process that have the possibility of certified material being mixed with non-certified paper. (Procedures and Responsibilities)
6. CoC is looking for records that are identified, stored, protected, and retrieved, along with information on how long they are to be kept. (Records)
7. Train staff on their roles and responsibilities within the Chain of Custody and keep records of the training. (Training)
8. Implement system to report on the sale of certified materials by customer. (Responsibilities, Procedures, and Records)
9. Complete round of internal audit. (Responsibilities, Procedures, and Records)
10. Complete management review of system. (Responsibilities, Procedures, and Records)

A strong management system, regardless of whether it’s quality or environmental, can make for a much easier integration of CoC or any other standard you pursue.

Chris Carson

As always, large and more progressive companies are the vanguard in this effort.  Some succeed better than others (see Improvement Initiatives Are Like Diets and ISO 9001 Q&A).  What troubles me, however, is that small and mid-sized companies are reluctant to even entertain the idea of an integrated management system (or Lean BOS) because they assume that it is too complex, too time consuming, and too expensive for them.  In my experience this is typically an uninformed opinion.  When one considers that small and mid-sized companies also deal with:

• finding and keeping customers,
• understanding and managing customer requirements and audits,
• resolving customer complaints,
• employee safety, training, competence, satisfaction, and retention,
• process and/or product improvement and optimization,
• corrective and preventive action,
• selecting and managing vendors and purchased items,
• key performance indicators and key metrics,
• environmental impact, and
• regulatory compliance,

then the effort and cost of an integrated management system become a sound business investment.   I understand that investing in organizational development during uncertain economic times is difficult.  But when considering increasing global competition and rising costs, can small and mid sized companies really afford not to invest? If a company does not invest in its own development when times are good or when time are bad, then the prognosis for the company’s future is far more grim than the current economic climate.

Kirill Liberman, President

While this subject deserves a detailed discussion, I finally decided to summarize and generalize my response to this very popular subject.

QMS (and EMS) implementation and consulting costs for any company can vary greatly.  You tend to find this out shortly after starting the research.  The range of prices that you are likely to hear is approximately $500 to $40,000+.  The actual price depends on the size and complexity of your company and on what you are trying to achieve.  It also depends on the level and type of service you are looking for.

On the low end of the scale, you can purchase an “ISO in a can” documentation package for around $500 (some run even less).  This approach will provide you with a set of generic text-based documents that you will then have to edit (fill in the blank) to make them somewhat representative of your company’s operations.  You will still need to have some training for your general staff, management, and internal auditors.  This training can be obtained on the web for a cost that will be measured in the hundreds of dollars.  Like the “ISO in a can” packages this kind of training is usually very generic and therefore limited in its business value, especially for a company that does not make a physical product.  Generally, most mass market, low cost, do-it-yourself ISO product are designed for companies that manufacture/produce some kind of product.

In the lower-middle of the range are providers of “hybrid” services that merge the generic “canned” documentation approach with some hands-on (on-site) training and some coaching.  In general, these approaches do not differ much from the “canned” products.  The resulting QMS or EMS is typically compliance oriented and of limited (if any) business value, but the results are generally better and faster than with a purely “canned” product.  Customers also feel a bit better about the outcome because they received some hand-holding.

On the upper-middle of the range are actual consultants that work directly with companies to implement ISO 9001, TS 16949, AS9100, TL 9000, ISO 13485, or ISO 14001 and OHSAS 18001 in a way that is specific to your company.  The objective and expertise of these consultants is to achieve registration by developing a custom system that meets the minimum requirements of the applicable standard(s).  Using ISO 9001, TS 16949, AS9100, TL 9000, or ISO 13485 as a platform for a high performance business operating system and the application of advanced techniques (e.g. process identification, process mapping, process measurement & monitoring, problem solving & root cause analysis, Lean, Six Sigma, etc.) are typically NOT the objective or part of the service/price.  Furthermore, the approach is usually in the form of a coaching and mentoring relationship.

On the upper range of the scale are management system consultants that help companies engineer or re-engineer a business management system that achieves ISO 9001, TS 16949, AS9100, TL 9000, or ISO 13485 registration as a byproduct.  These consultants are fewer in number and offer both coaching and turn-key support options.  Their skill sets and experience typically extends beyond ISO 9001, TS 16949, AS9100, TL 9000, ISO 13485, ISO 14001 and OHSAS 18001 to include advanced techniques (e.g. process identification, process mapping, process measurement & monitoring, problem solving & root cause analysis, Lean, Six Sigma, etc.).  Furthermore, their service deliverables typically include the seamless integration of advanced methods and rapid deployment & implementation techniques.

The latter two categories most closely describe the range of service and capabilities that my firm and I provide.

Kirill Liberman, President

1. “It’s not my job - call the ‘official’ person in charge of this”

I assume that this refers to a perception of ISO 9001 as a separate thing that exists outside of the company’s and an individual’s daily activities and is the responsibility of some dedicated individual or group within the company. This is a common concern that is not unfounded. Many companies (especially in the early days of ISO 9001) implemented ISO 9001 with the objective of obtaining a certificate that would allow them access to certain customers or markets. In these cases the management system framework stipulated by ISO 9001 was never understood or considered. The focus was on compliance by creating a bunch of documents that would only pass a third party audit. The general staff of the company was never involved in developing the management system and senior management never intended ISO 9001 to be a management system platform.

To overcome this problem my practice focuses on developing a management system that provides value to the organization. ISO 9001 registration should be a byproduct that validates the system, but not the objective. Individuals at all levels of the organization must be engaged in the implementation process. They must participate in developing and improving the processes that they own or participate in. Process ownership is critical. Process owners must be empowered to take control and responsibility for their process. Achieving this is the responsibility of senior management and a core element of my methodology. ISO 9001 clause 5.5.1 Responsibility and authority requires “Top management” to “ensure that the responsibilities and authorities are defined and communicated within the organization.”

The fact is that most profitable companies are doing nearly everything that ISO 9001 requires. They are simply not doing them effectively, consistently, and/or efficiently. Many companies rely on and succeed by the abilities and hard work of its people. These companies focus on managing people. But the focus must be on managing processes. ISO 9001, TQM, Lean, Six Sigma, etc. are all process management and improvement methodologies. None of them focus on managing people, but all address a senior management driven culture of continual improvement.

2. We need this prototype done faster than your quality program inspection will allow

Prototypes are not part of the general production process and should not be subject to the same process and type of controls. Prototypes are typically developed as part the design and development process. The design and development process must be developed as part of the ISO 9001 implementation (Clause 7.3). Prototyping can be part of this process or a separate process, as needed. It is important that the ISO 9001 based management system address the unique nature and requirements of your business and customer requirements, while ensuring consistency and control.

3. We need this piece done faster than your quality program documentation will allow

At no point does ISO 9001 stipulate how fast your system can or cannot produce a product. It is the processes that you design and the way processes are managed that will allow you to make a product at the speed needed by the customer. With this said, ISO 9001 does require that you determine and review product requirements from the customer, including delivery requirements, before you commit “to supply a product to the customer (e.g. submission of tenders, acceptance of contracts or orders acceptance of changes to contracts or orders).” Appropriate processes should be designed to allow for the identification, prioritization, and processing of “rush” orders. Examples of such processes are Sales & Contract Review, Order Processing, Engineering, Production Planning/Scheduling, and various production processes. A well designed management system will address how “rush” jobs are handled through all of the processes that should support a “rush” job. This will ensure that “rush” jobs are handled consistently. In turn, this will ensure that the impact of “rush” jobs on internal resources (e.g. manpower, material, methods, machines, money, etc.) can be measured and assessed.

4. Your outside contractor follows a different system/process than you do - or doesn’t have a system/process at all

From the customer perspective, outsourced processes do not absolve your company of the responsibility of ensuring that the outsourced process meets the stated and implied customer requirements. In clause 7.4 Purchasing, ISO 9001 recognizes this and stipulates that your company must ensure that “purchased product (includes outsourced process) conforms to specified purchase requirements. The type and extent of control applied to the supplier and the purchased product shall be dependent upon the effect of the purchased product on subsequent product realization or the final product.” This means that you must select suppliers that are capable of living up to the same standards that customers expect of you. If they cannot, then you must seek a new supplier or work to develop/improve the existing supplier or develop internal process controls to ensure that the supplied product/service meets requirements. This is a rather complex issue that deserves a separate detailed discussion.

5. We spend 10% of our labor time documenting quality inspections and processes - and creates higher turnover by employees as a result

6. Same as above and our costs go up 10%….

If 10% is true, then the management system is simply poorly engineered. There is significant room for improvement. The system is simply a bad bureaucracy and has little, if any, business value. With this said, there is some overhead associated with maintaining a well designed formal management system. In my experience, even a mediocre formal management system is able to generate a net gain by offsetting its overhead with improvements in consistency, efficiency, training, quality, problem solving, employee satisfaction, and in reductions in errors, rework, customer complaints, returns, and waste.

7. Our quality doesn’t improve but we can identify where the quality error occurred.

ISO 9001 does not and will not ensure quality improvement. ISO 9001 simply provides a framework/platform for a management system. It describes the minimal elements of a world class management system, but it does not provide guidance on how these elements are to be developed and implemented. Execution is completely up to the individual company and its leadership.

Being able to identify where quality problems occur is the first step to improvement. The next (after containment) is identifying the root cause of the problem and developing a corrective action that will eliminate the root cause and will ensure that the same problem does not occur again.

Corrective and preventive actions are a key element of continual improvement. However, the skills and methods used to effectively identify root cause and to develop robust corrective and preventive actions are not stipulated by ISO 9001. ISO 9001 simply requires that you have a formally defined corrective and preventive action system/process. The root cause analysis and corrective action skill sets and methodologies must be developed or acquired and incorporated into the management system. Process Mapping, Value Stream Mapping, SPC, DOE, Regression Analysis, and 8D are just some examples of the many tools and methods available.

8. Who owns ISO 9000 and how much time will they take each year to become certified?

As I discusses in some of the previous comments, ISO 9001 should not be the focus of any management system design and implementation effort. The objective should be to design and implement a value added management system that will meet ISO 9001 requirements by default. So, if the first part of the question is “who owns the management system?,” then the real answer is senior management because management is the ultimate process owner (see Deming).

But to achieve management’s objective of a true management system platform, “individuals at all levels of the organization must be engaged in the implementation process. They must participate in developing and improving the processes that they own or participate in. Process ownership is critical. Process owners must be empowered to take control and responsibility for their process. Achieving this is the responsibility of management and a core element of my methodology.”

If the ISO 9001 based management system was developed for its inherent benefits, then there should be no significant time attributed to maintaining certification. Certainly there is a need to invest time, resources, and money in designing and implementing the initial system. But the only time that should be directly attributed to maintaining ISO 9001 certification is the time that the Management Representative spends facilitating the registration and surveillance audit visits.

9. We spend all this time documenting quality issues and not enough time fixing them

ISO 9001 clause 5.1 Management commitment states that:

“Top management shall provide evidence of its commitment to the development and improvement of the quality management system and continually improving its effectiveness by:
a. communicating to the organization the importance of meeting customer as well as statutory and regulatory requirements;
b. establishing the quality policy,
c. ensuring that quality objectives are established
d. conducting management reviews, and
e. ensuring the availability of necessary resources.”

Furthermore clause 8.5.1 Continual improvement states that:

“The organization shall continually improve the effectiveness of the quality management system through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive actions and management review.”

I quote these clauses to emphasize these 2 points:

1. improvement can only happen if the management system incorporates improvement processes and elements at the appropriate points and levels, and more importantly
2. only senior management can foster a culture and environment of continual improvement.

ISO 9001 certification does not ensure that your company will continually improvement, but it can validate that it is or is not. Furthermore, at best, consultants can only coach, mentor, encourage, support, educate, transfer skills and knowledge, and introduce tools and techniques. Ultimately it is senior management that must provide the vision, leadership, and resources to continually improve the company and its management system.

10. I can’t get anything done on time because everyone is documenting process - or I can’t get what I want done because it’s outside of the process.

As I commented in 5 and 6 above, an overly bureaucratic system that significantly hampers the flow of material and information is simply a poorly designed system. This problem is not the fault of ISO 9001, but rather its execution. Nevertheless, some level of a well organized bureaucracy is a good thing. It provides benefits in the form of “improvements in consistency, efficiency, training, quality, problem solving, employee satisfaction, and in reductions in errors, rework, customer complaints, returns, and waste”.

Regarding operating “outside of the process,” it is not realistic to develop a management system that can clearly account for every possible contingency. This is not the goal of ISO 9001 or of any management system initiative. The goal of a management system is to define, measure, analyze, improve, and control the vast majority of what you do on a daily basis. If customer requirements regularly create scenarios that require deviation from the “norm,” then by definition these are not deviations form the “norm.” In this case the management system must be revised or designed to address how you consistently handle unique scenarios.

Kirill Liberman, President

Perhaps one of the reasons that many of us are still divided on the concept of a small quality manual is that we have not truly considered and understood the actual requirements.  ISO 9001 requirements for a quality manual are: 

1. It must describe/define the scope of the quality management system,
2. It must explain any excluded elements/clauses,
3. It must define or reference the “documented procedures” that make up your quality management system, and
4. It must describe/show the interaction of the quality management system processes

At no point does ISO 9001 stipulate how long the quality manual should be.  It does not even say that it should be a singe document.  Nor does it suggest that it should even be in text format. Another possible source of confusion and diverging opinions is the use of the terms “procedure” and “processes”.  We can all agree that the intent of ISO 9001 is to serve as a process management platform.  However, it only applies the word “documented” to procedures.  This begs the question: should we not document our processes?  For those of us that practice more that just ISO compliance, the answer is: of course we should.  If you agree, then replace the word “procedure” with “process” and think about the requirements again.  Now the QMS must:

1. Define or reference the “documented processes” that make up your quality management system, and
2. Describe/show the interaction of quality management system processes.

Why not draw a picture of this on one or two pieces of paper?  Why use paper? In my practice I do this all the time.  Hundreds of clients have embraced this approach and never has this been an issue with any registrar.  Granted, customers may want to see the details of the actual “documented process” which is fine.  Show then the process(es) and show them how that process fits into the overall process based quality management system with your new short quality manual or Lean QMS^® Map.

Kirill Liberman, President

Improvement methods/initiatives like Lean, Six Sigma, TQM, Theory of Constraints, ISO, etc. are very much like diets.  When a company is committed to and focused on applying the flavor or diet of the month, it inevitably achieves the improvements it sought.  However, most companies shift the focus to another area, problem, or initiative once the initial gains have been achieved.  The result is that the initial improvements spring back over time.  No one ever publicizes this fact so we only hear about the initial success.  In fact, many success stories are improvements on improvement initiatives that did not take hold from years before.

The problem is that most improvement initiative and tools do not address the need for a management system platform and culture that must sustain the improvement over time.  They just assume that it is there.  In fact, most organizations do not have a management system platform that was engineered and evolved to absorb the improvements and to make them permanent.  In these cases most improvement initiatives are ultimately doomed to long term failure.

So what must we do to avoid this trap?  Like Stephen Covey said: “seek first to understand, then to be understood.”  Start by focusing on understanding your organization’s processes and their interaction.  Then standardize and stabilize these processes.  Involve people at all levels of the organization in this effort to ensure process ownership, responsibility, and consistency.  You will be surprised by how much “low hanging fruit” you will find.  Use process mapping to capture and document the resulting current state.  Then develop appropriate process measurables to measure and monitor the processes.  The result will be a management system platform and infrastructure that will allow you to much more rationally, practically, and effectively apply improvement tools and methods.

Sorry folks, there is no silver bullet.  Improvement and organizational excellence are a journey, not an event.

Kirill Liberman, President